diff --git a/docs/remotes.rst b/docs/remotes.rst index f77bd73..58ab8ef 100644 --- a/docs/remotes.rst +++ b/docs/remotes.rst @@ -52,3 +52,19 @@ The Refspec type .. automethod:: pygit2.Refspec.dst_matches .. automethod:: pygit2.Refspec.transform .. automethod:: pygit2.Refspec.rtransform + +Credentials +================ + +.. automethod:: pygit2.Remote.credentials + +There are two types of credentials: username/password and SSH key +pairs. Both :py:class:`pygit2.UserPass` and :py:class:`pygit2.Keypair` +are callable objects, with the appropriate signature for the +credentials callback. They will ignore all the arguments and return +themselves. This is useful for scripts where the credentials are known +ahead of time. More complete interfaces would want to look up in their +keychain or ask the user for the data to use in the credentials. + +.. autoclass:: pygit2.UserPass +.. autoclass:: pygit2.Keypair diff --git a/pygit2/__init__.py b/pygit2/__init__.py index 8d40fc4..fc2e693 100644 --- a/pygit2/__init__.py +++ b/pygit2/__init__.py @@ -36,7 +36,7 @@ from _pygit2 import * from .repository import Repository from .version import __version__ from .settings import Settings - +from .credentials import * def init_repository(path, bare=False): """ @@ -51,30 +51,31 @@ def init_repository(path, bare=False): def clone_repository( url, path, bare=False, ignore_cert_errors=False, - remote_name="origin", checkout_branch=None): - """ - Clones a new Git repository from *url* in the given *path*. - - **bare** indicates whether a bare git repository should be created. - - **remote_name** is the name given to the "origin" remote. - The default is "origin". - - **checkout_branch** gives the name of the branch to checkout. - None means use the remote's *HEAD*. + remote_name="origin", checkout_branch=None, credentials=None): + """Clones a new Git repository from *url* in the given *path*. Returns a Repository class pointing to the newly cloned repository. - If you wish to use the repo, you need to do a checkout for one of - the available branches, like this: + :param str url: URL of the repository to clone - >>> repo = repo.clone_repository("url", "path") - >>> repo.checkout(branch) # i.e.: refs/heads/master + :param str path: Local path to clone into + + :param bool bare: Whether the local repository should be bare + + :param str remote_name: Name to give the remote at *url*. + + :param str checkout_branch: Branch to checkout after the + clone. The default is to use the remote's default branch. + + :param callable credentials: authentication to use if the remote + requires it + + :rtype: Repository """ _pygit2.clone_repository( - url, path, bare, ignore_cert_errors, remote_name, checkout_branch) + url, path, bare, ignore_cert_errors, remote_name, checkout_branch, credentials) return Repository(path) settings = Settings() diff --git a/pygit2/credentials.py b/pygit2/credentials.py new file mode 100644 index 0000000..1789022 --- /dev/null +++ b/pygit2/credentials.py @@ -0,0 +1,77 @@ +# -*- coding: utf-8 -*- +# +# Copyright 2010-2014 The pygit2 contributors +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License, version 2, +# as published by the Free Software Foundation. +# +# In addition to the permissions in the GNU General Public License, +# the authors give you unlimited permission to link the compiled +# version of this file into combinations with other programs, +# and to distribute those combinations without any restriction +# coming from the use of this file. (The General Public License +# restrictions do apply in other respects; for example, they cover +# modification of the file, and distribution when not linked into +# a combined executable.) +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to +# the Free Software Foundation, 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. + +# Import from pygit2 +from _pygit2 import GIT_CREDTYPE_USERPASS_PLAINTEXT, GIT_CREDTYPE_SSH_KEY + +class UserPass: + """Username/Password credentials + + This is an object suitable for passing to a remote's credentials + callback and for returning from said callback. + + """ + + def __init__(self, username, password): + self._username = username + self._password = password + + @property + def credential_type(self): + return GIT_CREDTYPE_USERPASS_PLAINTEXT + + @property + def credential_tuple(self): + return (self._username, self._password) + + def __call__(self, _url, _username, _allowed): + return self + +class Keypair: + """SSH key pair credentials + + This is an object suitable for passing to a remote's credentials + callback and for returning from said callback. + + """ + + def __init__(self, username, pubkey, privkey, passphrase): + self._username = username + self._pubkey = pubkey + self._privkey = privkey + self._passphrase = passphrase + + @property + def credential_type(self): + return GIT_CREDTYPE_SSH_KEY + + @property + def credential_tuple(self): + return (self._username, self._pubkey, self._privkey, self._passphrase) + + def __call__(self, _url, _username, _allowed): + return self diff --git a/src/pygit2.c b/src/pygit2.c index 9b6319e..bda9545 100644 --- a/src/pygit2.c +++ b/src/pygit2.c @@ -116,6 +116,14 @@ init_repository(PyObject *self, PyObject *args) { Py_RETURN_NONE; }; +static int +credentials_cb(git_cred **out, const char *url, const char *username_from_url, unsigned int allowed_types, void *data) +{ + PyObject *credentials = (PyObject *) data; + + return callable_to_credentials(out, url, username_from_url, allowed_types, credentials); +} + PyDoc_STRVAR(clone_repository__doc__, "clone_repository(url, path, bare, remote_name, checkout_branch)\n" "\n" @@ -144,11 +152,12 @@ clone_repository(PyObject *self, PyObject *args) { const char *path; unsigned int bare, ignore_cert_errors; const char *remote_name, *checkout_branch; + PyObject *credentials = NULL; int err; git_clone_options opts = GIT_CLONE_OPTIONS_INIT; - if (!PyArg_ParseTuple(args, "zzIIzz", - &url, &path, &bare, &ignore_cert_errors, &remote_name, &checkout_branch)) + if (!PyArg_ParseTuple(args, "zzIIzzO", + &url, &path, &bare, &ignore_cert_errors, &remote_name, &checkout_branch, &credentials)) return NULL; opts.bare = bare; @@ -156,6 +165,11 @@ clone_repository(PyObject *self, PyObject *args) { opts.remote_name = remote_name; opts.checkout_branch = checkout_branch; + if (credentials != Py_None) { + opts.remote_callbacks.credentials = credentials_cb; + opts.remote_callbacks.payload = credentials; + } + err = git_clone(&repo, url, path, &opts); if (err < 0) return Error_set(err); @@ -452,6 +466,9 @@ moduleinit(PyObject* m) /* Direction for the refspec */ ADD_CONSTANT_INT(m, GIT_DIRECTION_FETCH) ADD_CONSTANT_INT(m, GIT_DIRECTION_PUSH) + /* Credential types */ + ADD_CONSTANT_INT(m, GIT_CREDTYPE_USERPASS_PLAINTEXT) + ADD_CONSTANT_INT(m, GIT_CREDTYPE_SSH_KEY) /* Blame */ INIT_TYPE(BlameType, NULL, NULL) diff --git a/src/remote.c b/src/remote.c index a1322bf..dee9b5a 100644 --- a/src/remote.c +++ b/src/remote.c @@ -156,6 +156,14 @@ progress_cb(const char *str, int len, void *data) return 0; } +static int +credentials_cb(git_cred **out, const char *url, const char *username_from_url, unsigned int allowed_types, void *data) +{ + Remote *remote = (Remote *) data; + + return callable_to_credentials(out, url, username_from_url, allowed_types, remote->credentials); +} + static int transfer_progress_cb(const git_transfer_progress *stats, void *data) { @@ -632,6 +640,18 @@ PyGetSetDef Remote_getseters[] = { PyMemberDef Remote_members[] = { MEMBER(Remote, progress, T_OBJECT_EX, "Progress output callback"), + MEMBER(Remote, credentials, T_OBJECT_EX, + "credentials(url, username_from_url, allowed_types) -> credential\n" + "\n" + "Credentials callback\n" + "\n" + "If the remote server requires authentication, this function will\n" + "be called and its return value used for authentication.\n" + "\n" + ":param str url: The url of the remote\n" + ":param username_from_url: Username extracted from the url, if any\n" + ":type username_from_url: str or None\n" + ":param int allowed_types: credential types supported by the remote "), MEMBER(Remote, transfer_progress, T_OBJECT_EX, "Transfer progress callback"), MEMBER(Remote, update_tips, T_OBJECT_EX, "update tips callback"), {NULL}, @@ -692,10 +712,12 @@ wrap_remote(git_remote *c_remote, Repository *repo) py_remote->repo = repo; py_remote->remote = c_remote; py_remote->progress = NULL; + py_remote->credentials = NULL; py_remote->transfer_progress = NULL; py_remote->update_tips = NULL; callbacks.progress = progress_cb; + callbacks.credentials = credentials_cb; callbacks.transfer_progress = transfer_progress_cb; callbacks.update_tips = update_tips_cb; callbacks.payload = py_remote; diff --git a/src/types.h b/src/types.h index 3e704a7..cfd0009 100644 --- a/src/types.h +++ b/src/types.h @@ -202,6 +202,7 @@ typedef struct { git_remote *remote; /* Callbacks for network events */ PyObject *progress; + PyObject *credentials; PyObject *transfer_progress; PyObject *update_tips; } Remote; diff --git a/src/utils.c b/src/utils.c index 44acf5c..24b6bbd 100644 --- a/src/utils.c +++ b/src/utils.c @@ -153,3 +153,92 @@ on_error: return -1; } + +static int +py_cred_to_git_cred(git_cred **out, PyObject *py_cred, unsigned int allowed) +{ + PyObject *py_type, *py_tuple; + long type; + int err = -1; + + py_type = PyObject_GetAttrString(py_cred, "credential_type"); + py_tuple = PyObject_GetAttrString(py_cred, "credential_tuple"); + + if (!py_type || !py_tuple) { + printf("py_type %p, py_tuple %p\n", py_type, py_tuple); + PyErr_SetString(PyExc_TypeError, "credential doesn't implement the interface"); + goto cleanup; + } + + if (!PyLong_Check(py_type)) { + PyErr_SetString(PyExc_TypeError, "credential type is not a long"); + goto cleanup; + } + + type = PyLong_AsLong(py_type); + + /* Sanity check, make sure we're given credentials we can use */ + if (!(allowed & type)) { + PyErr_SetString(PyExc_TypeError, "invalid credential type"); + goto cleanup; + } + + switch (type) { + case GIT_CREDTYPE_USERPASS_PLAINTEXT: + { + const char *username, *password; + + if (!PyArg_ParseTuple(py_tuple, "ss", &username, &password)) + goto cleanup; + + err = git_cred_userpass_plaintext_new(out, username, password); + break; + } + case GIT_CREDTYPE_SSH_KEY: + { + const char *username, *pubkey, *privkey, *passphrase; + + if (!PyArg_ParseTuple(py_tuple, "ssss", &username, &pubkey, &privkey, &passphrase)) + goto cleanup; + + err = git_cred_ssh_key_new(out, username, pubkey, privkey, passphrase); + break; + } + default: + PyErr_SetString(PyExc_TypeError, "unsupported credential type"); + break; + } + +cleanup: + Py_XDECREF(py_type); + Py_XDECREF(py_tuple); + + return err; +} + +int +callable_to_credentials(git_cred **out, const char *url, const char *username_from_url, unsigned int allowed_types, PyObject *credentials) +{ + int err; + PyObject *py_cred = NULL, *arglist = NULL; + + if (credentials == NULL || credentials == Py_None) + return 0; + + if (!PyCallable_Check(credentials)) { + PyErr_SetString(PyExc_TypeError, "credentials callback is not callable"); + return -1; + } + + arglist = Py_BuildValue("(szI)", url, username_from_url, allowed_types); + py_cred = PyObject_CallObject(credentials, arglist); + Py_DECREF(arglist); + + if (!py_cred) + return -1; + + err = py_cred_to_git_cred(out, py_cred, allowed_types); + Py_DECREF(py_cred); + + return err; +} diff --git a/src/utils.h b/src/utils.h index 81744f6..7f95d73 100644 --- a/src/utils.h +++ b/src/utils.h @@ -117,6 +117,8 @@ const char *py_str_borrow_c_str(PyObject **tvaue, PyObject *value, const char *e PyObject * get_pylist_from_git_strarray(git_strarray *strarray); int get_strarraygit_from_pylist(git_strarray *array, PyObject *pylist); +int callable_to_credentials(git_cred **out, const char *url, const char *username_from_url, unsigned int allowed_types, PyObject *credentials); + #define py_path_to_c_str(py_path) \ py_str_to_c_str(py_path, Py_FileSystemDefaultEncoding) diff --git a/test/test_credentials.py b/test/test_credentials.py new file mode 100644 index 0000000..3bdeb6f --- /dev/null +++ b/test/test_credentials.py @@ -0,0 +1,93 @@ +# -*- coding: UTF-8 -*- +# +# Copyright 2010-2014 The pygit2 contributors +# +# This file is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License, version 2, +# as published by the Free Software Foundation. +# +# In addition to the permissions in the GNU General Public License, +# the authors give you unlimited permission to link the compiled +# version of this file into combinations with other programs, +# and to distribute those combinations without any restriction +# coming from the use of this file. (The General Public License +# restrictions do apply in other respects; for example, they cover +# modification of the file, and distribution when not linked into +# a combined executable.) +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to +# the Free Software Foundation, 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. + +"""Tests for credentials""" + + +import unittest +import pygit2 +from pygit2 import GIT_CREDTYPE_USERPASS_PLAINTEXT +from pygit2 import UserPass, Keypair +from . import utils + +REMOTE_NAME = 'origin' +REMOTE_URL = 'git://github.com/libgit2/pygit2.git' +REMOTE_FETCHSPEC_SRC = 'refs/heads/*' +REMOTE_FETCHSPEC_DST = 'refs/remotes/origin/*' +REMOTE_REPO_OBJECTS = 30 +REMOTE_REPO_BYTES = 2758 + +ORIGIN_REFSPEC = '+refs/heads/*:refs/remotes/origin/*' + +class CredentialCreateTest(utils.NoRepoTestCase): + def test_userpass(self): + username = "git" + password = "sekkrit" + + cred = UserPass(username, password) + self.assertEqual((username, password), cred.credential_tuple) + + def test_ssh_key(self): + username = "git" + pubkey = "id_rsa.pub" + privkey = "id_rsa" + passphrase = "bad wolf" + + cred = Keypair(username, pubkey, privkey, passphrase) + self.assertEqual((username, pubkey, privkey, passphrase), cred.credential_tuple) + +class CredentialCallback(utils.RepoTestCase): + def test_callback(self): + def credentials_cb(url, username, allowed): + self.assertTrue(allowed & GIT_CREDTYPE_USERPASS_PLAINTEXT) + raise Exception("I don't know the password") + + remote = self.repo.create_remote("github", "https://github.com/github/github") + remote.credentials = credentials_cb + + self.assertRaises(Exception, remote.fetch) + + def test_bad_cred_type(self): + def credentials_cb(url, username, allowed): + self.assertTrue(allowed & GIT_CREDTYPE_USERPASS_PLAINTEXT) + return Keypair("git", "foo.pub", "foo", "sekkrit") + + remote = self.repo.create_remote("github", "https://github.com/github/github") + remote.credentials = credentials_cb + + self.assertRaises(TypeError, remote.fetch) + +class CallableCredentialTest(utils.RepoTestCase): + + def test_user_pass(self): + remote = self.repo.create_remote("bb", "https://bitbucket.org/libgit2/testgitrepository.git") + remote.credentials = UserPass("libgit2", "libgit2") + + remote.fetch() + +if __name__ == '__main__': + unittest.main() diff --git a/test/test_repository.py b/test/test_repository.py index 8e8101c..71214cc 100644 --- a/test/test_repository.py +++ b/test/test_repository.py @@ -461,6 +461,13 @@ class CloneRepositoryTest(utils.NoRepoTestCase): self.assertFalse(repo.is_empty) self.assertEqual(repo.remotes[0].name, "custom_remote") + def test_clone_with_credentials(self): + credentials = pygit2.UserPass("libgit2", "libgit2") + repo = clone_repository( + "https://bitbucket.org/libgit2/testgitrepository.git", + self._temp_dir, credentials=credentials) + + self.assertFalse(repo.is_empty) # FIXME The tests below are commented because they are broken: #